author | Guido Trentalancia <guido@trentalancia.com> | 2023-09-13 15:32:31 +0200 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2023-10-06 11:26:32 -0400 |
commit | cb143f042e9cfc5141388785bbb9b6e2f4f6c700 (patch) | |
tree | 022be0ed68b544a2371cfee5f357ec8dd04f566e | |
parent | For systemd-hostnamed service to run (diff) | |
Fix the recently introduced "logging_syslog_can_network" tunable policy, by including TCP/IP socket creation permissions.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/system/logging.te | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 3cadba881..0b3e75fca 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -408,8 +408,6 @@ allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
 allow syslogd_t self:unix_dgram_socket sendto;
 allow syslogd_t self:fifo_file rw_fifo_file_perms;
-allow syslogd_t self:udp_socket create_socket_perms;
-allow syslogd_t self:tcp_socket create_stream_socket_perms;
 allow syslogd_t syslog_conf_t:file read_file_perms;
 allow syslogd_t syslog_conf_t:dir list_dir_perms;
@@ -583,6 +581,8 @@ ifdef(`distro_ubuntu',`
 tunable_policy(`logging_syslog_can_network',`
 allow syslogd_t self:capability { net_admin };
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+ allow syslogd_t self:udp_socket create_socket_perms;
 corenet_all_recvfrom_netlabel(syslogd_t)
 corenet_udp_sendrecv_generic_if(syslogd_t) |
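Review bot: The `tcp_socket` and `udp_socket` rules added under `logging_syslog_can_network` carry no comment saying that they are now the only grant of inet socket creation to `syslogd_t`, which the first hunk makes true by deleting the unconditional copies. I would add `# Inet socket creation is granted only when network logging is enabled; there is no unconditional rule.` above the two lines so the gating is not undone by a later cleanup. As far as these hunks show, a host that sends or receives logs over the network with the boolean off will start producing AVC denials for `create` on these classes with source context `syslogd_t` after the update, so the release notes should tell operators to enable the boolean before upgrading. The `tunable_policy` block continues past the end of the hunk, so the remaining network rules in it were not reviewed here.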